FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help

> Chapter 25 - Security Profiles > Web filter > Configuring Web Filter Profiles

Configuring Web Filter Profiles

Enabling FortiGuard Web Filter

FortiGuard Web Filter is enabled and configured within web filter profiles by enabling FortiGuard Categories. The service is engaged by turning on the Web Filter profile and selecting a profile that has FortiGuard Categories enabled on one or more active policies being run by the firewall.

There is also a system wide setting for the enabling or disabling of FortiGuard Web Filter that is only in the CLI.

config system fortiguard

set webfilter-force-off

The two options on this setting are enable or disable. The syntax of the settings name is “force-off” so in order to enable FortiGuard Webfilter you have to choose disable for the setting and enable if you want to turn it off.

General configuration steps

  1. Go to Security Profiles > Web Filter.
  2. Determine if you wish to create a new profile, edit an existing one, or clone and edit an existing one.
  3. Select an Inspection Mode.
  4. If you are using FortiGuard Categories, enable the FortiGuard Categories, select the categories and select the action to be performed.
  5. Configure any Quotas needed. (Proxy Mode)
  6. Allow blocked override if required.(Proxy Mode)
  7. Set up Safe Search settings and/or YouTube Education settings. (Proxy & Flow-based)
  8. Configure Static URL Settings. (All Modes)
  9. Configure Rating Options. (All Modes)
  10. Configure Proxy Options.
  11. Save the filter and web filter profile.
  12. To complete the configuration, you need to select the security policy controlling the network traffic you want to restrict. Then, in the security policy, enable Web Filter and select the appropriate web filter profile from the list.

Configuring FortiGuard Web Filter settings

FortiGuard Web Filter includes a number of settings that allow you to determine various aspects of the filtering behavior.

Getting to the Edit Web Filter Profile configuration window

Once you have gotten to the profile configuration window there are a number of settings that can be used, most of which are optional. We will treat each of these options separately, but present the common instructions of how to get to the profile editing page here.

  1. Go to Security Profiles > Web Filter.
  2. Determine if you wish to create a new profile, edit an existing one, or clone and then edit an existing one.
  1. New profile:
  1. Select the Create New icon, in the upper right of the window (looks like a plus sign in a circle) OR
  2. Select the List icon, in the upper right (looks like a white rectangle with lines like text). Select the Create New icon in the upper left.
  1. Edit existing profile:
  1. Select the name of the profile that you wish to edit from the drop-down menu OR
  2. Select the List icon, in the upper right (looks like a white rectangle with lines like text. Highlight the name of the profile from the list and select Edit from the options above the list.
  1. Clone a profile:
  1. Select Clone icon in the upper right corner of the window (looks like one square overlapping another) OR
  2. Select the Listicon, in the upper right (looks like a white rectangle with lines like text. Highlight the name of the profile from the list and select Clone from the options above the list.
  1. Make sure there is a valid name, and comment if you want.
  2. Configure the settings to best achieve your specific requirements
  3. Select Apply or OK, depending on whether you are editing, creating, or cloning a profile.
note icon In older versions of FortiOS there was a character limitation for the URL of 2048 bytes or approximately 321 characters. If the URL you were trying to reach was longer the URL sent to FortiGuard would be truncated and the service would be unable to categorize the site. Starting in version 5 of the firmware, the parsed URL has been increase to 4 Kilobytes, effectively doubling the length of a URL capable of being categorized.

To configure the FortiGuard Web Filter categories

  1. Go to the Edit Web Filter Profile window.
  2. The category groups are listed in a widget. You can expand each category group to view and configure every sub-category individually within the groups. If you change the setting of a category group, all categories within the group inherit the change.
  3. Select the category groups and categories to which you want to apply an action.
    To assign an action to a category left click on the category and select from the pop up menu.
  4. Select Apply or OK.

Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.

note icon If you look at your logs carefully, you may notice that not every URL connection in the log shows a category. They are left blank. If you take one of those URL and enter it in the FortiGuard website designed to show the category for a URL it will successfully categorize it.

The reason for this is that to optimize speed throughput and reduce the load on the FortiGuard servers the FortiGate does not determine a category rating on scripts and css files.

Configuring FortiGuard Category Quotas

  1. Go to the Edit Web Filter Profile window
  2. Verify that the categories that need to have quotas on them are set to one of these actions:
  • Monitor
  • Warning
  • Authenticate
  1. Under Category Usage Quota, Select Create New or Edit
  2. In the New/Edit Quota window that pops up, enable or disable the specific categories for that quota.
  3. At the bottom of the widget, select a quota type and daily allowance for each user:
  • Time -- can be entered in Hours, Minutes, or Seconds.
  • Traffic -- can be entered in Bytes, KB, MB, or GB.
  1. Select Apply or OK.
  2. Continue with any other configuration in the profile
  3. Select Apply or OK.

Apply the web filter profile to an identity-based security policy. All the users subject to that policy are restricted by the quotas.

note icon The use of FortiGuard Web Filtering quotas requires that users authenticate to gain web access. The quotas are ignored if applied to a security policy in which user authentication is not required.

Editing the web filter profile resets the quota timers for all users.

Configure Allowed Blocked Overrides

  1. Go to the Edit Web Filter Profile window.
  2. Enable Allow users to override blocked categories.
  3. Select the Groups that can override.
  4. Designate a temporary web filter profile under Profile can switch to
  5. Identify whether Switch applies to a User, User Group, IP, or Ask.
  6. Set the Switch Duration to Predefined or Ask.

Configure Search Engine Section.

  1. Go to the Edit Web Filter Profile window.
    There are three primary configuration settings in this section.
  2. Enable any of the three settings:
note icon Web Filter in flow mode does not support Safe Search

Configure Static URL Filter

Web Content Filter

To enable the web content filter and set the content block threshold
  1. Go to the Edit Web Filter Profile window.
  2. In the Static URL Filter section enable Web Content Filter.
  3. Select Create New.
  4. Select the Pattern Type.
  5. Enter the content Pattern.
  6. Enter the Language from the dropdown menu.
  7. Select Block or Exempt, as required, from the Action list.
  8. Select Enable.
  9. Select OK.

Configure Rating Options

Allow Websites When a Rating error Occurs

In the GUI, the configuration setting is limited to a checkbox.

Rate URLs by Domain and IP Address

In the GUI, the configuration setting is limited to a checkbox.

Block HTTP Redirects by Rating

In the GUI, the configuration setting is limited to a checkbox.

Rate Images by URL (Blocked images will be replaced with blanks)

In the GUI, the configuration setting is limited to a checkbox.

Configure Proxy Options

Restrict Google Account Usage to Specific Domains

Configuring the feature in the GIU

Go to Security Profiles > Web Filter.

In the Proxy Options section, check the box next to Restrict to Corporate Google Accounts Only.

Use the Create New link within the widget to add the appropriate Google domains that will be allowed.

Configuring the feature in the CLI

To configure this option in the CLI, the URL filter must refer to a web-proxy profile that is using the Modifying HTTP Request Headers feature. The command is only visible when the action for the entry in the URL filter is set to either allow or monitor.

  1. Configure the proxy options:

config web-proxy profile

edit "googleproxy"

config headers

edit 1

set name "X-GoogApps-Allowed-Domains"

set content "fortinet.com, Ladan.ca"

end

end

end

end

 

  1. Set a web filter profile to use the proxy options

config webfilter urlfilter

edit 1

config entries

edit "*.google.com"

set type wildcard

set action {allow | monitor}

set web-proxy-profile <profile>

end

end

end

end

In the CLI, you can also add, modify, and remove header fields in HTTP request when scanning web traffic in proxy-mode. If a header field exists when your FortiGate receives the request, its content will be modified based on the configurations in the URL filter.

Web Resume Download block

In the GUI, the configuration setting is limited to a checkbox.

Provide Details for Blocked HTTP 4xx and 5xx Errors

In the GUI, the configuration setting is limited to a checkbox.

HTTP POST Action

Remove Java Applet Filter

In the GUI, the configuration setting is limited to a checkbox.

Remove ActiveX Filter

In the GUI, the configuration setting is limited to a checkbox.

Remove Cookie Filter

In the GUI, the configuration setting is limited to a checkbox.